Date
Severity
Moderately Critical
Vulnerability
Access Bypass
Affected versions
<7.x-5.8

Description

The Mailchimp module provides tools for creating and managing MailChimp email campaigns with Drupal content. It includes an autocomplete endpoint at `admin/config/services/mailchimp/campaigns/entities` used to search and select site entities (e.g., nodes) when composing campaign content.

The endpoint was registered with `'access callback' => TRUE`, bypassing all access control and making it publicly accessible to unauthenticated users. A visitor could query this endpoint with arbitrary strings to search entity titles across the site and retrieve matching entity titles and IDs.

This vulnerability is mitigated by the fact that the module is relatively uncommon and the endpoint only returns entity titles and numeric IDs, not body content or other sensitive fields.

Solution

Install the latest version.

If you use the Mailchimp module for Drupal 7, upgrade to mailchimp 7.x-5.8:


Reported by

Fixed by

  • Tag1 D7ES

Coordinated by